Bug 13369 - Looking up the user using the UPN results in user name with the REALM instead of the DOMAIN
Summary: Looking up the user using the UPN results in user name with the REALM instead...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.7.6
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-06 08:31 UTC by Andreas Schneider
Modified: 2020-08-19 03:22 UTC (History)
6 users (show)

See Also:


Attachments
patch for 4.7 (41.64 KB, patch)
2018-04-06 08:33 UTC, Andreas Schneider
no flags Details
patch for 4.7 (3.33 KB, patch)
2018-04-13 13:09 UTC, Andreas Schneider
no flags Details
patch for 4.8 (52.59 KB, patch)
2018-05-15 07:13 UTC, Andreas Schneider
metze: review+
Details
patch for 4.7 (53.59 KB, patch)
2018-05-15 07:15 UTC, Andreas Schneider
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2018-04-06 08:31:26 UTC
If the Windbind caches are cold and we look up the user using the UPN will result in user name with REALM+user instead of the DOMAIN+user.


Output showing the bug:

$ getent passwd bob1@EARTH.MILKYWAY.SITE                                                                                                                    
EARTH.MILKYWAY.SITE+bob1:*:100001107:100000513::/home/EARTH.MILKYWAY.SITE/bob1:/bin/bash

(It works if you use: getent passwd EARTH+bob)

Expected output:
$ getent passwd bob1@EARTH.MILKYWAY.SITE                                                                                                                    
EARTH+bob1:*:100001107:100000513::/home/EARTH/bob1:/bin/bash
Comment 1 Andreas Schneider 2018-04-06 08:33:58 UTC
Created attachment 14106 [details]
patch for 4.7

This is already fixed in Samba 4.8.
Comment 2 Volker Lendecke 2018-04-06 08:37:42 UTC
Is that really the right patchset? It's about the namemap cache being moved to gencache. How does this help?
Comment 3 Andreas Schneider 2018-04-06 15:47:36 UTC
The problem before was that if you looked up the user via UPN the REALM ended up in the cache instead of the DOMAIN name (getent passwd bob1@EARTH.MILKYWAY.SITE). You need to remove all cache tdbs to actually reproduce it.

If you looked it up via domain name (EARTH+bob1) it worked correctly.

You fixed that probably without noticing. And yes, I've bisected it down to that piece of code, backported the patches to v4-7 and verified again that it actually fixed the problem.

The patch fixing the issue is actually:

  [PATCH 8/9] winbindd: Move name<->sid cache to gencache
Comment 4 Andreas Schneider 2018-04-13 13:09:12 UTC
Created attachment 14133 [details]
patch for 4.7

This is a minimal version. However patch 2 is needed for master too.
Comment 5 Andreas Schneider 2018-04-19 12:30:19 UTC
Comment on attachment 14133 [details]
patch for 4.7

This needs more work.
Comment 6 Andreas Schneider 2018-05-15 07:13:51 UTC
Created attachment 14199 [details]
patch for 4.8
Comment 7 Andreas Schneider 2018-05-15 07:15:52 UTC
Created attachment 14200 [details]
patch for 4.7

The 4.7 is not complete, as quite some patches are missing to fully implement that. However it fixes the most serious issue and adds tests. This shows what is not working yet with 4.7.
Comment 8 Karolin Seeger 2018-05-24 07:14:22 UTC
Pushed to autobuild-v4-{8,7}-test.
Comment 9 Karolin Seeger 2018-06-04 06:51:00 UTC
Pushed to both branches.
Closing out bug report.

Thanks!